A page to show up #1 on Google when searching for "Jeremiah" (Currently #4). Only the prophet and TV show left! I have the edge, TV show is cancelled and the prophet isn't generating any new content.


Friday, August 25, 2006

I know what you've got (Firefox Extensions)

Update: I removed the JS PoC from the template. Was messing up IE.

Update: Some generous person, who sadly didn't leave their name, supplied me with a bunch more Firefox Extension signatures. Way cool! I updated the PoC code on the blog. Enjoy!

RSnake discovered a great way to detect installed Firefox extensions using the chrome: protocol handler. I liked it so much, and in keeping with the CSS/JS History Hack, I just had to have some proof-of-concept code for the blog. I improved upon his design a bit, making it more complete as far as popular extensions go and easier to add new signatures. In the right-side column, look for the "I know what you've got" heading. Below it you should see a list of detected extensions, if any. Again, I'm not capturing this data, just redisplaying it.

The chrome protocol handler enables reaching into the FF browser extensions folder to access image resources. For instance, the Google Toolbar has chrome://google-toolbar/skin/icon.png. For detection, create an IMG DOM object with an onload event handler and point it at that URL. If the onload event handler fires, you know the extension is there, because the URL is unique to that extension.

If you have more signatures with extension names and unique-chrome-url, comment them in and I'll add them to the list. And I agree with RSnake that we'll have to dig deeper into the chrome handler to see if any issues exist with the extensions. So much research, so little time.
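The signature-table approach described above, written out as an added example (this is not the blog's original PoC, which is not on this page). Only the Google Toolbar URL comes from the post; the second signature is a placeholder, and `probeExtensions` and `fakeImageFactory` are hypothetical names, the latter a constructed stand-in for the browser so the logic can run outside one.

```javascript
// Signature table: extension name -> a resource URL unique to that extension.
const SIGNATURES = [
  { name: "Google Toolbar", url: "chrome://google-toolbar/skin/icon.png" }, // from the post
  { name: "Example Extension", url: "chrome://example-extension/skin/icon.png" }, // placeholder
];

// Probe each signature with an image load. createImage is injectable so the
// logic can be exercised outside a browser; in a page it defaults to new Image().
function probeExtensions(signatures, onDone, createImage) {
  createImage = createImage || function () { return new Image(); };
  const detected = [];
  let pending = signatures.length;
  if (pending === 0) { onDone(detected); return; }
  signatures.forEach(function (sig) {
    const img = createImage();
    let settled = false;
    function settle(found) {
      if (settled) return; // count each probe once, whichever event fires
      settled = true;
      if (found) detected.push(sig.name);
      if (--pending === 0) onDone(detected.slice().sort());
    }
    img.onload = function () { settle(true); };   // resource loaded: extension present
    img.onerror = function () { settle(false); }; // load failed: absent or blocked
    try { img.src = sig.url; } catch (e) { settle(false); } // handlers set before src
  });
}

// Constructed stand-in for the browser: fires onload only for "installed" URLs.
function fakeImageFactory(installedUrls) {
  return function () {
    const img = { onload: null, onerror: null };
    Object.defineProperty(img, "src", {
      set: function (url) {
        (installedUrls.indexOf(url) !== -1 ? img.onload : img.onerror)();
      },
    });
    return img;
  };
}

// Constructed scenario: only the Google Toolbar resource resolves.
probeExtensions(SIGNATURES, function (found) {
  console.log("Detected:", found);
}, fakeImageFactory(["chrome://google-toolbar/skin/icon.png"]));
```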

Steph, that's a really good question. First I would say that if someone knows your extensions that it is a privacy issue, not necessarily a security one. And for the moment the violation is not THAT bad. The only way to prevent detection is to either disable JavaScript, yuck, or uninstall the extension, worse. Running for the hills is of course optional.

But when you posed the question what ran through my mind was the future research that has yet to be done that RSnake mentioned. Do FF extensions have security issues that we can take advantage of from JavaScript space? The answer is "I don't know", but again we haven't looked. So maybe this could eventually turn into a security issue in the near future. We'll have to wait and see.

This is no option, because any available extension can be traced, so one has to uninstall all of them.

I'm an extension developer myself, and I think a few measures can be taken from our side: not implement the images in the extension, at least that would be a tradeoff; it is possible then to detect on other files in the extension folder, I know. The images are only visible in the extension manager mostly, and are not needed in any way; one can do without them.

It is also possible to detect other files in the extension folder which incorporates other data.

The thing I am afraid of is that there could be code flaws in some extensions, and in combination with the detection and some good Ajax programming could lead to exploits.

And really I have no suggestions how to fix and address this issue; I have questioned other Mozilla developers, and am awaiting answers.